[z/OS]

Distributed identity mapping using SAF

The distributed identity mapping feature using System Authorization Facility (SAF) for z/OS® provides some major benefits, and is new in this version of WebSphere® Application Server.

New feature: This release of WebSphere Application Server enables you to use z/OS System Authorization Facility (SAF) security to associate a SAF user ID with a distributed identity. When you use this feature, you can maintain the original identity information of a user for audit purposes and have less to configure in WebSphere Application Server.

Your z/OS security product must be at the appropriate version that supports the distributed identity mapping. The correct SAF version is 7760 or later. For Resource Access Control Facility (RACF®), you must be at z/OS version 1.11 or later.

Note: The SAF distributed identity mapping feature is not supported in a mixed-version cell (nodes prior to WebSphere Application Server Version 8.0).

Benefits when using distributed identity mapping

Distributed identity mapping in SAF provides two major benefits:
  • When a user is audited on the z/OS operating system using SMF, the audit record contains both the distributed identity and the mapped SAF user ID. This improves cross-platform interoperability and provides value for both host centric and heterogeneous application environments.
  • The mapping of distributed identities is handled by the z/OS security administrator. There is no need to configure mapping modules in the WebSphere Application Server configuration.

When to use distributed identity mapping

The following scenarios describe how you can use the new distributed identity mapping feature in SAF.
  • Scenario 1: When you have a non-Local OS registry configured with either SAF authorization, z/OS thread identity synchronization (SyncToThread) or the connection manager RunAs thread identity option, you can use this feature to map your registry user to a SAF user. In previous releases, this mapping had to be done with Java Authentication and Authorization Service (JAAS) login modules that were configured in WebSphere Application Server.

    The advantages of using distributed identity mapping are that the SMF audit records will contain both the distributed user and the SAF user, and that the mapping is controlled by the z/OS security administrator.

    When mapping a non-Local OS registry user, the distributed user name is the value returned by the WebSphere Application Server WSCredential.getUniqueSecurityName() API. The realm name is determined by the WebSphere Application Server WSCredential.getRealmName() API.

    To enable distributed identity mapping for this scenario, no further changes are needed in the security configuration.

    Note: For scenario 1, if you are using the Federated Repositories registry configured with the UserRegistry bridge, you can still take advantage of the SAF distributed identity mapping feature. If you log in with a SAF user, it is not mapped. However, if you log in with a distributed user, it is mapped to a SAF user.
  • Scenario 2: When you have a Local OS registry configured on the z/OS platform with Kerberos or SPNEGO enabled, you can map the Kerberos principal name to a SAF user using the distributed identity mapping feature. In previous releases, you could use either a JAAS mapping login module that was configured in WebSphere Application Server or the KERB segment of the SAF user in the z/OS security product.

    The advantage of using distributed identity mapping is that the SMF records will contain both the Kerberos user and the mapped SAF user.

    When mapping a Kerberos user, the distributed user name is the Kerberos principal name. The realm name is the Kerberos realm name of the Kerberos Key Distribution Center (KDC). For more information on creating distributed identity filters in the z/OS security product, read the Distributed identity filters configuration in z/OS security topic.

    To enable distributed identity mapping for this scenario:
    • Navigate to Security > Global security > Kerberos configuration.
    • Select the radio button for Use the RACMAP profiles in the SAF product for distributed identity mapping.

    To make this change with wsadmin scripting, set the security custom property com.ibm.websphere.security.krb.useRACMAPMappingToSAF=true.

  • Scenario 3: When you have a Local OS registry configured, you can map an asserted certificate or an asserted distinguished name to a SAF user.

    In previous releases, the first attribute of the asserted DN name was mapped to a SAF user. The advantages of using distributed identity mapping for an asserted DN are added flexibility for mapping users, mapping that is controlled by the z/OS security administrator, and SMF audit records that contain both the asserted DN name and the mapped SAF user ID. In previous releases, an asserted certificate was mapped to a SAF user by using the RACDCERT MAP function in SAF. The advantage of using distributed identity mapping is that the SMF audit records will contain both the certificate DN name and the mapped SAF user ID. Additionally, the SAF database saves space by not having to store the digital certificates.

    When mapping an asserted certificate or DN name in SAF, the distributed user is the DN name and the realm name is the current SAF realm.

    To enable distributed identity mapping for this scenario:
    • Navigate to Security > Global security > CSIv2 Inbound communications.
    • For Attribute layer settings, select Map certificate and DN using SAF distributed identity mapping.

    To make this change with wsadmin scripting, set the security custom property com.ibm.websphere.security.certdn.useRACMAPMappingToSAF=true.

  • Scenario 4: When you have a Local OS registry configured, you can map a certificate received in the CSIv2 transport layer to a SAF user.

    In previous releases, a certificate was mapped to a SAF user by using the RACDCERT MAP function in SAF. The advantage of using the distributed identity mapping is that the SMF audit records will contain both the certificate DN name and the mapped SAF user ID.

    When mapping a certificate received in the CSIv2 transport layer, the distributed user is the DN name and the realm name is the current SAF realm. Additionally, the SAF database saves space by not having to store the digital certificates.

    To enable distributed identity mapping for this scenario:
    • Navigate to Security > Global security > CSIv2 Inbound communications.
    • For Transport layer settings, select Map certificate using SAF distributed identity mapping.

    To make this change with wsadmin scripting, set the security custom property com.ibm.websphere.security.certificate.useRACMAPMappingToSAF=true.

    Note: If your DN name has a blank space between the attributes, then you should apply the RACF APAR OA34258, or PTF UA59873, and the SAF APAR OA34259, or PTF UA59871, to correctly parse the blanks.
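Setting the three security custom properties named in Scenarios 2, 3 and 4 from one wsadmin script, as an added Jython example that is not part of the original page: the property names are the page's own, the helper names are this example's, and it assumes a Local OS registry on z/OS and the AdminConfig object that wsadmin provides. The matching RACMAP filters on the SAF side are still defined by the z/OS security administrator.

```jython
# wsadmin Jython (wsadmin.sh -lang jython -f <script>). Added example, not IBM code.
# Creates or updates the custom properties that switch Scenarios 2, 3 and 4 to
# SAF distributed identity mapping. Re-running the script is safe.

RACMAP_PROPERTIES = {
    # Scenario 2: Kerberos/SPNEGO principal mapped to a SAF user via RACMAP profiles
    'com.ibm.websphere.security.krb.useRACMAPMappingToSAF': 'true',
    # Scenario 3: asserted certificate or DN (CSIv2 attribute layer)
    'com.ibm.websphere.security.certdn.useRACMAPMappingToSAF': 'true',
    # Scenario 4: certificate received in the CSIv2 transport layer
    'com.ibm.websphere.security.certificate.useRACMAPMappingToSAF': 'true',
}

def getSecurityObject():
    # Cell-level Security configuration object that owns the custom properties.
    return AdminConfig.getid('/Security:/')

def findProperty(security, name):
    # Return the config id of an existing custom property with this name, or None.
    for prop in AdminConfig.list('Property', security).splitlines():
        if AdminConfig.showAttribute(prop, 'name') == name:
            return prop
    return None

def setCustomProperty(security, name, value):
    # Create the property if it is absent; otherwise update the value in place
    # rather than adding a duplicate Property element.
    prop = findProperty(security, name)
    if prop is None:
        AdminConfig.create('Property', security, [['name', name], ['value', value]])
        return 'created'
    if AdminConfig.showAttribute(prop, 'value') != value:
        AdminConfig.modify(prop, [['value', value]])
        return 'updated'
    return 'unchanged'

def enableRacmapMapping(properties=RACMAP_PROPERTIES):
    # Apply every property, persist the change and report what was done per name.
    security = getSecurityObject()
    results = {}
    for name, value in properties.items():
        results[name] = setCustomProperty(security, name, value)
    AdminConfig.save()   # in an ND cell, synchronize the nodes afterwards
    return results

for name, result in enableRacmapMapping().items():
    print '%-65s %s' % (name, result)
```

Because Scenario 2 is also exposed as a radio button under Kerberos configuration, checking that panel after the script runs confirms the property took effect.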
Table 1. Distributed identity mapping scenarios. The following table summarizes the configuration for each of the distributed identity mapping scenarios.

Scenario   | SAF version                                 | User registry | SAF authorization=true or SyncToThread=true or runAs=true? | JAAS mapping module configured? | Kerberos or SPNEGO enabled
Scenario 1 | 7760 or later (z/OS 1.11 or later for RACF) | non-Local OS  | yes                                                        | no                              | n/a
Scenario 2 | 7760 or later (z/OS 1.11 or later for RACF) | Local OS      | yes                                                        | no                              | yes
Scenario 3 | 7760 or later (z/OS 1.11 or later for RACF) | Local OS      | yes                                                        | no                              | n/a
Scenario 4 | 7760 or later (z/OS 1.11 or later for RACF) | Local OS      | yes                                                        | no                              | n/a

Considerations when configuring distributed identity mapping

When you configure distributed identity mapping, you must complete the following actions:




Related reference
Distributed identity filters configuration in z/OS security
removeMapPlatformSubject script
SecurityConfigurationCommands command group for the AdminTask object
Related information
Interface WSCredential


Last updated: Feb 6, 2014 8:11:25 PM CST
http://www14.software.ibm.com/webapp/wsbroker/redirect?version=matt&product=was-nd-mp&topic=csec_identity_saf
File name: csec_identity_saf.html